Ubuntu Security Notice 2631-1 – Jan Beulich discovered the Xen virtual machine subsystem of the Linux kernel did not properly restrict access to PCI command registers. A local guest user could exploit this flaw to cause a denial of service (host crash). A privilege escalation was discovered in the fork syscall via the int80 entry on 64 bit kernels with 32 bit emulation support. An unprivileged local attacker could exploit this flaw to increase their privileges on the system. Various other issues were also addressed.
Monthly Archives: June 2015
Ubuntu Security Notice USN-2632-1
Ubuntu Security Notice 2632-1 – Jan Beulich discovered the Xen virtual machine subsystem of the Linux kernel did not properly restrict access to PCI command registers. A local guest user could exploit this flaw to cause a denial of service (host crash). A privilege escalation was discovered in the fork syscall via the int80 entry on 64 bit kernels with 32 bit emulation support. An unprivileged local attacker could exploit this flaw to increase their privileges on the system. Various other issues were also addressed.
Red Hat Security Advisory 2015-1088-01
Red Hat Security Advisory 2015-1088-01 – KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU’s AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.
2 vulns 1 line in RNCryptor (PHP) + Call to Action
Posted by Scott Arciszewski on Jun 10
Hi Full Disclosure,
RNCryptor is a data format specificiation for AES encryption, with AES-256,
Their PHP implementation has two vulnerabilities in the same line of code,
which looks like this:
return ($components->hmac == $this->_generateHmac($components, $hmacKey));
The issues here:
1. A timing side-channel.
2. Use of the == operator can treat strings as floats, depending on the
input
We have opened a Github issue about this and…
Authentication Bypass in Pandora FMS
Posted by Manuel Mancera on Jun 10
================================================================
Authentication Bypass in Pandora FMS
================================================================
Information
——————–
Name: Pandora FMS – Authentication Bypass
Affected Software : Pandora FMS
Affected Versions: 5.0, 5.1
Vendor Homepage : http://pandorafms.com/
Vulnerability Type : Authentication Bypass
Severity : High
Product
——————–
Pandora FMS (for…
Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta WordPress plugin
Posted by Larry W. Cashdollar on Jun 10
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta WordPress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins () wordpress org
Description: A…
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Posted by Bruno Luiz on Jun 10
Introduction
SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for most practical
purposes it has been replaced by its successors TLS 1.0 [RFC2246], TLS 1.1 [RFC4346],
and TLS 1.2 [RFC5246], many TLS implementations remain backwardscompatible with
SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.
The protocol handshake provides for authenticated version negotiation, so normally the
latest…
CVE-2014-8603
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4) $_CONFIG[‘tarcompress’], (5) $_CONFIG[‘filename’], (6) $_CONFIG[‘exfile_tar’], (7) $_CONFIG[sqldump], (8) $_CONFIG[‘mysql_host’], (9) $_CONFIG[‘mysql_pass’], (10) $_CONFIG[‘mysql_user’], (11) $database_name, or (12) $sqlfile variable.
CVE-2014-8604
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2014-8605
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrators/backups/.